fatalrat | 76a65ecfc54d6ef74020e0b9ab497a3abf7e1709c40cc071535cd4bae3c82783

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-10-2024 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

名单助手PDF.exe
Size

6.1MB
MD5

f24efc53f425d85f86e7d4e2000dbc2a
SHA1

3d29c3ea01714fe3f757c104f44281e2335d278b
SHA256

d2caeb6d90e3240fd087e2180e28219651dc9f6c5ee7c2f18bd59e5b98dcfd6f
SHA512

ad88e648c3124fc379784887e7d6cbb3576eb9bae9cc8400c9d1ed7b093c1c8c691bd98f9a43f8a6a8cd33db403888f4106fef70697b90a8670227fd334a1813
SSDEEP

98304:4YYX5YQmdT8PRv0J0hx09BSpKki9jBGrisYdMLU9V09DsL2qEKqjb:niby94pFKjBGr97eL

Score

10^/10

fatalrat gh0strat discovery infostealer rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Gh0st RAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral6/memory/4180-81-0x00000000039D0000-0x0000000003B1D000-memory.dmp	family_gh0strat
behavioral6/memory/4180-83-0x00000000039D0000-0x0000000003B1D000-memory.dmp	family_gh0strat
behavioral6/memory/4180-84-0x00000000039D0000-0x0000000003B1D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Fatal Rat payload 2 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral6/memory/4180-65-0x0000000002450000-0x000000000247A000-memory.dmp	fatalrat
behavioral6/memory/4180-64-0x00000000022B0000-0x00000000022E2000-memory.dmp	fatalrat

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

Processes:

1L1K1KF.exe

pid	Process
4180	1L1K1KF.exe

Loads dropped DLL 1 IoCs

Processes:

1L1K1KF.exe

pid	Process
4180	1L1K1KF.exe

Drops file in System32 directory 1 IoCs

Processes:

1L1K1KF.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1L1K1KF.exe	1L1K1KF.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral6/memory/4180-81-0x00000000039D0000-0x0000000003B1D000-memory.dmp	upx
behavioral6/memory/4180-78-0x00000000039D0000-0x0000000003B1D000-memory.dmp	upx
behavioral6/memory/4180-83-0x00000000039D0000-0x0000000003B1D000-memory.dmp	upx
behavioral6/memory/4180-84-0x00000000039D0000-0x0000000003B1D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1L1K1KF.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1L1K1KF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1L1K1KF.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1L1K1KF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	1L1K1KF.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

名单助手PDF.exe1L1K1KF.exe

pid	Process
4936	名单助手PDF.exe
4936	名单助手PDF.exe
4936	名单助手PDF.exe
4936	名单助手PDF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe
4180	1L1K1KF.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1L1K1KF.exe

description	pid	Process
Token: SeDebugPrivilege	4180	1L1K1KF.exe
Token: SeDebugPrivilege	4180	1L1K1KF.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\名单助手PDF.exe
"C:\Users\Admin\AppData\Local\Temp\名单助手PDF.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4936

C:\ProgramData\9SCSCV\1L1K1KF.exe
C:\ProgramData\9SCSCV\1L1K1KF.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\9SCSCV\1L1K1KF.exe

Filesize
233KB

MD5
4f9c6e1a88e9a25dff08db5c05b07a15

SHA1
c6375b4ac7fa362064e4eeba9442c12b9bfb7238

SHA256
9714e568328990ce76669b10573032c34b8617d6c292dafbf509bb59de9d86bc

SHA512
3c0faac411137c73fa5e1dffd2c696ced0ccc221b9974fed3bd158b7b6bf4e002162c4f0d4f41105483eb16c6220e20fe48a65adf8f6278882d0d0ff0727726b

Download Submit
C:\ProgramData\9SCSCV\PBVM90.dll

Filesize
2.2MB

MD5
6763be58feb53c3b430c94277b99adcb

SHA1
94008b6cd06888df63542969f3b1007a85d2fa1b

SHA256
c072f5f0e28cbc8cb347a7736371b57d6a9192667122fbb83fd4f436529f96ef

SHA512
4aa0814c5f296adf7dfdc8bb7879b447d6d404e3fe54af5293bfe6db55d1329bb87ccee6bc415b310f9e49e32f789fe3549d6a99045cd036362a8a4f2945c1a1

Download Submit
C:\ProgramData\9SCSCV\longlq.cl

Filesize
1.2MB

MD5
eab35abc0ae31018b3f0c64fb93b785b

SHA1
be2468ea6292889e8c58306aacbc875147e29a00

SHA256
5b8e39728ad4b2ec68d5b3e0af4dfa914a26812bbdca20198d3fe0d40397126a

SHA512
c1555252c93c314a8d26ef018afcb54937abc0b5e755fbc3d6a3bcda7ec796fddca48ffb215cdcb1a92edb2361122d273b1c40987cd2f4c2fe754a2be8f6ae06

Download Submit
C:\Users\Admin\AppData\Roaming\YFYIY\Q9T9.exe

Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Admin\AppData\Roaming\YFYIY\website_secure_lnk.lnk

Filesize
797B

MD5
f23bd052527d0fae7b10bc990c9eaf65

SHA1
dd674c88be6395dc0e10920c4ed3e79fd0b68587

SHA256
929228b69b920f92d17635da1615c60759ecbc16767feed4ba107838d4f23bae

SHA512
d89f9df93b464c7570d8990be33bd4ae62f67c434cbaebefc903d45fb4ad523c43633e02bd9060bd774b216c3a63e09dab0d36e30cb86e74b96da035112c4c7c

Download Submit
C:\Users\Public\SBSBVB

Filesize
1.1MB

MD5
9bfaab258ac336e40145a0e98c4d0639

SHA1
1bbab07dddf56f3fd43c1c61d38b11dd121795c6

SHA256
53a844c36f87b391260bfca420e9cdb46770e42a4b2a4ad4be925ad381830eb7

SHA512
5adc1903d385943fa999aa1541ee101ca0d38d9bb602c4a36e690f9099eb3b3df99b2d65c4f97f3abfcd8f8a5767d1493b59b88f9b68dc8c09205b380e782c19

Download Submit
memory/4180-64-0x00000000022B0000-0x00000000022E2000-memory.dmp

Filesize
200KB

Download
memory/4180-81-0x00000000039D0000-0x0000000003B1D000-memory.dmp

Filesize
1.3MB

Download
memory/4180-84-0x00000000039D0000-0x0000000003B1D000-memory.dmp

Filesize
1.3MB

Download
memory/4180-65-0x0000000002450000-0x000000000247A000-memory.dmp

Filesize
168KB

Download
memory/4180-83-0x00000000039D0000-0x0000000003B1D000-memory.dmp

Filesize
1.3MB

Download
memory/4180-63-0x0000000002410000-0x000000000244B000-memory.dmp

Filesize
236KB

Download
memory/4180-78-0x00000000039D0000-0x0000000003B1D000-memory.dmp

Filesize
1.3MB

Download
memory/4180-70-0x0000000002410000-0x000000000244B000-memory.dmp

Filesize
236KB

Download
memory/4936-77-0x0000000003410000-0x00000000036DD000-memory.dmp

Filesize
2.8MB

Download
memory/4936-76-0x00000000022D0000-0x00000000028B9000-memory.dmp

Filesize
5.9MB

Download
memory/4936-54-0x0000000003410000-0x00000000036DD000-memory.dmp

Filesize
2.8MB

Download
memory/4936-1-0x0000000003410000-0x00000000036DD000-memory.dmp

Filesize
2.8MB

Download
memory/4936-0-0x00000000022D0000-0x00000000028B9000-memory.dmp

Filesize
5.9MB

Download
memory/4936-3-0x00000000022D0000-0x00000000028B9000-memory.dmp

Filesize
5.9MB

Download